Smart Computer Group based on user's LDAP Group

hmn
New Contributor III

Hi there, 
I am trying to automate some processes based on our LDAP integration. 
At this point we have a stable integration with our LDAP and all the tests are successful. (Settings: System > LDAP servers).
Group Names and GIDs are found. So far I was able to use the information for some configuration profiles. Now I want to use it for associating specific devices with a smart computer group but I am somehow stuck. 
Ultimately, it should work like this: if a user is a member of a specific LDAP group, then the user's device should be associated automatically with a specific smart computer group.
In system > computer management, I created custom "extension attributes" to map the "Directory Service Attribute" "gidNumber" to the LDAP attribute for "GID". 
But it does not seem to work. Any idea what I am missing?

6 REPLIES

Tangentism
Contributor III

The way you can do it is to set the scoping as:

Targets: All Computers or Specific Computer Group
Limitations: Members of LDAP group


You cannot directly scope to an LDAP group.

Edit: You might be able to do an Extension Attribute that does a `dscl` query of the users group memberships (and maybe even filter it so if they are a member, it displays a true/false boolean) then base the computer group membership from that.
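As an added example of that idea (not code from the thread or from Jamf), the script below is shaped like a Jamf Pro Extension Attribute: it asks `dscl` for the member list of one directory group and reports a true/false value that a smart group can then key on. It assumes the group name Mac_Users (the name used later in this thread; substitute your own) and that the Mac has a directory node in its search path, i.e. a bound Mac as AJPinto points out; on an unbound Mac `dscl` has nothing to query and the result is simply false. The membership check is split into a pure helper so it can be exercised without a directory.

```shell
#!/bin/sh
# Example Jamf Pro Extension Attribute script: is the console user a member
# of a directory group? Output is <result>true</result>, <result>false</result>
# or <result>unknown</result> (no console session, e.g. at the login window).

# Assumed group name; replace with the LDAP/directory group you scope on.
TARGET_GROUP="${TARGET_GROUP:-Mac_Users}"

# Pure helper: given a user name and one dscl output line of the form
# "GroupMembership: alice bob", return 0 when the user is listed.
# Whole-word comparison, so "bob" does not match "bobby".
member_listed() {
  user="$1"
  line="$2"
  case "$line" in
    GroupMembership:*) ;;
    *) return 1 ;;          # group unknown, empty, or dscl unavailable
  esac
  members="${line#GroupMembership:}"
  for m in $members; do
    [ "$m" = "$user" ] && return 0
  done
  return 1
}

# Live query (macOS only): read the group's member list through the
# /Search node, which covers the local node and any bound LDAP node.
group_membership_line() {
  dscl /Search -read "/Groups/$1" GroupMembership 2>/dev/null
}

# Print "true" or "false" for user $1 and group $2.
membership_flag() {
  if member_listed "$1" "$(group_membership_line "$2")"; then
    echo true
  else
    echo false
  fi
}

# EA entry point: Jamf stores whatever sits between the <result> tags.
main() {
  user="$(stat -f '%Su' /dev/console 2>/dev/null || true)"
  if [ -z "$user" ] || [ "$user" = "root" ]; then
    echo "<result>unknown</result>"
    return 0
  fi
  echo "<result>$(membership_flag "$user" "$TARGET_GROUP")</result>"
}

# Only run the live query on macOS; the helpers stay usable elsewhere.
if [ "$(uname)" = "Darwin" ]; then
  main
fi
```

Set the Extension Attribute's data type to String and build the smart group on "extension attribute is true". Because the value is only refreshed at inventory time, a user added to the LDAP group after the last inventory update stays scoped out until the next `recon`; if your directory uses nested groups, `dsmemberutil checkmembership -U user -G group` resolves those where a flat `dscl` read of GroupMembership does not.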

AJPinto
Honored Contributor III

As @Tangentism said this is done with a policy directly, not through a Smart Group. You would target all devices, or a group of devices, then assign a limitation to the LDAP group you want to target to limit the scope to users with the LDAP group within the targeted scope.


One thing to note is Jamf has no good way to know what a user's group membership is unless they log in to Self Service. In domain bound situations logging in to Self Service is not necessary, but in 2024 you should not be domain binding macOS.


It would look something like this. This policy is targeting all Macs and is limited to Mac_Users so only users with the Mac_Users LDAP group can see the policy.

[Two screenshots attached: AJPinto_0-1718113567372.png, AJPinto_1-1718113578338.png]


hmn
New Contributor III

@AJPinto @Tangentism Thank you for your speedy response and sorry for my late response. I was also able to raise the problem during the Jamf Nation event in Berlin directly with several Jamf reps from DE and US. It really looks like a blind spot. Except for BYO, where you have more focus on assigning e.g. VPPs based on the Business Apple ID, there is not (yet) much implemented when it comes to thinking identity first. At this stage it is clear that MDM is centered on a device, but if you look across the entire ecosystem of services (Jamf Pro, Radar, Protect), policies and dynamic group assignments can be a huge lift if they are read from the IdP. Let's see how it progresses. At least they saw the potential benefit of inheriting more from the IdP.


Thank you!

julienvs
New Contributor III

Couldn't agree more.

They want us to focus on security but a better integration with Cloud IdP is one of the pieces of the puzzle.

hmn
New Contributor III

I have now started to "hack" the setup a bit. In my cloud IdP I am setting a numeric identifier in the user's phone number value (we do not use it). I read this parameter in Jamf and assign the machine to specific configurations. I now just create smart computer groups based on the phone number and use these for scoping. Ultimately this would be more scalable...

hmn
New Contributor III

and it works :)